<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>passwords</title>
<link>http://www.computersight.com/tags/passwords</link>
<description>New posts about passwords</description>
<item>
<title>What Every Executive Should Ask About Computer Security</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/What-Every-Executive-Should-Ask-About-Computer-Security.303887</link>
<description>
<![CDATA[<h3>Information Security Is A Top Priority For Us</h3>
<p>Companies spend hundreds of millions of dollars on computer security. Unfortunately, most of this expense is smoke and mirrors. They install security software and monitoring tools. Controls are documented and reviewed on a regular basis (think Sarbanes-Oxley and laugh if you are in the business). And all to what purpose? Mostly "show and tell" for internal auditors and executives who have no idea of the real exposures they face. But it all looks good on paper.<br /><br />Contrary to popular belief, these exposures do not have to be exploited by computer geniuses. Often, only a rudimentary understanding of a system or program will provide a wide open door to the company jewels. In fact, many security breaches are accomplished by people who are merely computer literate. So before you authorize another million dollars on the latest and greatest security product, take a look at the simple stuff that shoots management in the foot every day.</p>
<h3>You have strict standards for all Platforms and Operating systems. So what makes you think they are really followed? Oh, the auditors said they were.</h3>
<p>Ask your staff if development systems are ever directly upgraded to production systems. If they are (and I assure you many are), it is likely that one or more of these conditions exist:</p>
<ul>
<li>The developer still has administrative access to the operating system, databases and applications.</li>
<li>Software was installed with the vendor Userid and Password and they were never changed (the first thing an intruder looks for).</li>
<li>There are shared Userids and passwords still on the system that were used for testing.</li>
<li>Standard operating system parameters required for production were not set prior to development, and programs will not work as developed if the standards are turned on now.</li>
<li>The system was developed using real customer data, and that data is still sitting somewhere unprotected from developers.</li>
</ul>
<h3>Your Policy says that Sensitive and Confidential data must be secured. They show you the security they have in place to accomplish this.</h3>
<p>Ask some direct questions:</p>
<ul>
<li>Do you know every place in the network where this data is stored? (I assure you they do not, but there are ways to find out.)</li>
<li>Can authorized people print it out and leave it around for anyone to see or copy?</li>
<li>Can the same people attach this data to an Email and send it outside the network unencrypted? (Probably happens every day)</li>
<li>Is any of this data on unsecured, unencrypted Laptops that can be lost or stolen?</li>
</ul>
<h3>What about Web Applications? Expect to be reassured that security on Routers, Firewalls, and Intrusion Appliances is strong and constantly monitored.</h3>
<p>But when was the last time you:</p>
<ul>
<li>Conducted a network penetration study? (Outside parties such as PricewaterhouseCoopers or Ernst &amp; Young will almost certainly identify serious oversights that should be corrected.)</li>
<li>Verified that the Web Applications themselves are secure? Chances are that the code is not all that good and provides opportunities for malicious behavior (have high-risk application code reviewed).</li>
</ul>
<h3>Then there is my personal favorite: passwords. Strict standards are adhered to. These are enforced by network software and we force password changes every thirty days. Impressive!</h3>
<p>But not all passwords are changed every thirty days.</p>
<ul>
<li>System Support (the propeller heads) commonly use a single Userid and Password for multiple systems. Any intruder gaining access to these lists can rip through your network at will.</li>
<li>Who keeps a list of these Userids and Passwords? (I assure you there are many.)</li>
<li>Who has access to the directory and files where they are stored? (Make them show you the access list right then and there.)</li>
<li>Are the files encrypted? Not likely. (Remember, these Userids and Passwords are the keys to the kingdom.)</li>
<li>So when you fired the last System Administrator you changed all the Administrative Userid and Passwords? Not likely.</li>
</ul>
<p>Note: Logon Userids and Passwords are not sufficient for this level of access.<br /><br />There is nothing here too "techy" to be understood. If you can get control of these common problems, you will have closed huge holes in your Information Security Program.</p>
<h3>Old saying - If you can&rsquo;t dazzle-um with your brilliance, baffle-um with your Bull S___. Don&rsquo;t let-um do it to you!</h3>]]></description>
<pubDate>Sun, 19 Oct 2008 06:46:51 PST</pubDate></item>
<item>
<title>The Don'ts And Dos Of Passwords</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/The-Donts-And-Dos-Of-Passwords.60560</link>
<description>
<![CDATA[<p>I hear so often that people complain that someone managed to "break" into their Facebook or email account. When I speak to them and ask them questions, I soon find out that it was just a matter of time until their password was figured out. Here is a list of don'ts and dos that hopefully will help keep your "private" stuff really private.</p>
<h3>Don'ts</h3>

<p>Never ever use your user name as the password. That is probably one of the first things people try. Other things that people try as passwords are calendar months (e.g. March) or week days (e.g. Monday). You should also never use dates as passwords. So if you are thinking about using your birthday as a password, forget it; think again. When choosing a password, never use a sequence such as 22222222, 12345678 or qwertyu.</p>
 
<p>If your password is in the dictionary of any language, then there is a very good chance that some hacker will be able to break into your account.</p>
<p>Passwords should be kept secret. Don't share them with anyone and don't write them down. If you have to give someone your password for whatever reason, make sure you change it as soon as possible after the person has finished with whatever he/she was doing.</p>
<p>I have friends that use the same password on all websites that they use. Does that make sense? No! If one account is broken into, all of them are broken into. Which leads us to the dos.</p>

 
<h3>Dos</h3>

<p>Make sure you use different passwords for different websites. Make it as difficult as possible for anyone to simply guess your password. Use a mixture of UPPERCASE and lowercase letters and as many numbers and symbols (where allowed) as possible. Make sure your chosen password is at least 8 characters long, and remember: the longer the better.</p>
 
<p>Microsoft has a website where you can check your password strength (HERE). You might be surprised that your password is very weak.</p>
<p>Change your password regularly. Every month if possible, but at least every 90 days.</p>
<p>I hope this will help you to keep your stuff safe and secure.</p>]]></description>
<pubDate>Wed, 21 Nov 2007 09:09:12 PST</pubDate></item>
</channel>
</rss>
